diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java index b11f87d43..317e0867a 100644 --- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java +++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/AbstractControllerAuthenticationFilter.java @@ -12,11 +12,10 @@ package org.eclipse.hawkbit.security; import java.util.Arrays; import java.util.Collection; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.tenancy.TenantAware; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; @@ -24,10 +23,9 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority; * An abstraction for all controller based security. Check if the tenant * configuration is enabled. */ +@Slf4j public abstract class AbstractControllerAuthenticationFilter implements PreAuthenticationFilter { - private static final Logger LOGGER = LoggerFactory.getLogger(AbstractControllerAuthenticationFilter.class); - protected final TenantConfigurationManagement tenantConfigurationManagement; protected final TenantAware tenantAware; private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner; 
@@ -52,7 +50,7 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe @Override public Boolean run() { - LOGGER.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey()); + log.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey()); return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement .getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue()); } diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java index 365cc6d83..76e5db383 100644 --- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java +++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticateSecurityTokenFilter.java @@ -11,13 +11,12 @@ package org.eclipse.hawkbit.security; import java.util.Optional; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.repository.ControllerManagement; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.repository.model.Target; import org.eclipse.hawkbit.tenancy.TenantAware; import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** * An pre-authenticated processing filter which extracts (if enabled through 
@@ -25,13 +24,10 @@ import org.slf4j.LoggerFactory; * security-token with the {@code Authorization} HTTP header. * {@code Example Header: Authorization: TargetToken * 5d8fSD54fdsFG98DDsa.} - * - * - * */ +@Slf4j public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractControllerAuthenticationFilter { - - private static final Logger LOGGER = LoggerFactory.getLogger(ControllerPreAuthenticateSecurityTokenFilter.class); + private static final String TARGET_SECURITY_TOKEN_AUTH_SCHEME = "TargetToken "; private static final int OFFSET_TARGET_TOKEN = TARGET_SECURITY_TOKEN_AUTH_SCHEME.length(); @@ -66,11 +62,11 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro final String controllerId = resolveControllerId(securityToken); final String authHeader = securityToken.getHeader(DmfTenantSecurityToken.AUTHORIZATION_HEADER); if ((authHeader != null) && authHeader.startsWith(TARGET_SECURITY_TOKEN_AUTH_SCHEME)) { - LOGGER.debug("found authorization header with scheme {} using target security token for authentication", + log.debug("found authorization header with scheme {} using target security token for authentication", TARGET_SECURITY_TOKEN_AUTH_SCHEME); return new HeaderAuthentication(controllerId, authHeader.substring(OFFSET_TARGET_TOKEN)); } - LOGGER.debug( + log.debug( "security token filter is enabled but requst does not contain either the necessary path variables {} or the authorization header with scheme {}", securityToken, TARGET_SECURITY_TOKEN_AUTH_SCHEME); return null; diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java index 122793a8d..bdee7c768 100644 --- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java 
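Review bot: The `TargetToken` branch in the `@@ -66,11 +62,11 @@` hunk accepts a header that consists of the scheme prefix alone, so `authHeader.substring(OFFSET_TARGET_TOKEN)` passes an empty string to `HeaderAuthentication` as the credential; the gateway filter in this same commit rejects that case with a length check commented "disables empty string token". Mirroring it here would be `if (authHeader != null && authHeader.startsWith(TARGET_SECURITY_TOKEN_AUTH_SCHEME) && authHeader.length() > OFFSET_TARGET_TOKEN) {`. Whether an empty credential could ever match depends on the comparison done outside this hunk, so treat this as defence in depth rather than a confirmed bypass. The fallback `log.debug` also passes the whole `securityToken` object as an argument (as does the gateway filter's `@@ -61,12 +56,12 @@` hunk); if its `toString()` includes the headers, the Authorization value would land in debug logs, so logging only the tenant and controller id would be safer, and "requst" in that message is a typo. The enclosing method starts outside the hunk.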
+++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedGatewaySecurityTokenFilter.java @@ -9,11 +9,10 @@ */ package org.eclipse.hawkbit.security; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.tenancy.TenantAware; import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** * An pre-authenticated processing filter which extracts (if enabled through @@ -23,14 +22,10 @@ import org.slf4j.LoggerFactory; * gateway security token which can be set via the {@code TenantsecurityToken} * header. {@code Example Header: Authorization: GatewayToken * 5d8fSD54fdsFG98DDsa.} - * - * - * */ +@Slf4j public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends AbstractControllerAuthenticationFilter { - - private static final Logger LOGGER = LoggerFactory - .getLogger(ControllerPreAuthenticatedGatewaySecurityTokenFilter.class); + private static final String GATEWAY_SECURITY_TOKEN_AUTH_SCHEME = "GatewayToken "; private static final int OFFSET_GATEWAY_TOKEN = GATEWAY_SECURITY_TOKEN_AUTH_SCHEME.length(); 
@@ -61,12 +56,12 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra if (authHeader != null && authHeader.startsWith(GATEWAY_SECURITY_TOKEN_AUTH_SCHEME) && authHeader.length() > OFFSET_GATEWAY_TOKEN) { // disables empty string token - LOGGER.debug("found authorization header with scheme {} using target security token for authentication", + log.debug("found authorization header with scheme {} using target security token for authentication", GATEWAY_SECURITY_TOKEN_AUTH_SCHEME); return new HeaderAuthentication(securityToken.getControllerId(), authHeader.substring(OFFSET_GATEWAY_TOKEN)); } - LOGGER.debug( + log.debug( "security token filter is enabled but request does not contain either the necessary security token {} or the authorization header with scheme {}", securityToken, GATEWAY_SECURITY_TOKEN_AUTH_SCHEME); return null; @@ -88,7 +83,7 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra @Override public String run() { - LOGGER.trace("retrieving configuration value for configuration key {}", + log.trace("retrieving configuration value for configuration key {}", TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY); return systemSecurityContext diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java index 5ddb652e2..bb26f3ed0 100644 --- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java +++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/ControllerPreAuthenticatedSecurityHeaderFilter.java 
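Review bot: The success-path message in the `@@ -61,12 +56,12 @@` hunk still says "using target security token for authentication" although this branch matched `GATEWAY_SECURITY_TOKEN_AUTH_SCHEME`, which is misleading when authentication traces are read during triage. Since the line is being touched anyway, it could become `log.debug("found authorization header with scheme {} using gateway security token for authentication",`. The enclosing method starts and ends outside the hunk.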
@@ -13,6 +13,7 @@ import java.util.Arrays; import java.util.List; import java.util.stream.Collectors; +import lombok.extern.slf4j.Slf4j; import org.eclipse.hawkbit.repository.TenantConfigurationManagement; import org.eclipse.hawkbit.tenancy.TenantAware; import org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationProperties.TenantConfigurationKey; @@ -23,11 +24,10 @@ import org.slf4j.LoggerFactory; * A pre-authenticated processing filter which extracts the principal from a * request URI and the credential from a request header in a the * {@link DmfTenantSecurityToken}. - * */ +@Slf4j public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractControllerAuthenticationFilter { - - private static final Logger LOGGER = LoggerFactory.getLogger(ControllerPreAuthenticatedSecurityHeaderFilter.class); + private static final Logger LOG_SECURITY_AUTH = LoggerFactory.getLogger("server-security.authentication"); private final GetSecurityAuthorityNameTenantRunner sslIssuerNameConfigTenantRunner = new GetSecurityAuthorityNameTenantRunner(); 
@@ -83,11 +83,11 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont final String knownSslIssuerConfigurationValue = tenantAware.runAsTenant(securityToken.getTenant(), sslIssuerNameConfigTenantRunner); final String sslIssuerHashValue = getIssuerHashHeader(securityToken, knownSslIssuerConfigurationValue); - if (commonNameValue != null && LOGGER.isTraceEnabled()) { - LOGGER.trace("Found commonNameHeader {}={}, using as credentials", caCommonNameHeader, commonNameValue); + if (commonNameValue != null && log.isTraceEnabled()) { + log.trace("Found commonNameHeader {}={}, using as credentials", caCommonNameHeader, commonNameValue); } - if (sslIssuerHashValue != null && LOGGER.isTraceEnabled()) { - LOGGER.trace("Found sslIssuerHash ****, using as credentials for tenant {}", securityToken.getTenant()); + if (sslIssuerHashValue != null && log.isTraceEnabled()) { + log.trace("Found sslIssuerHash ****, using as credentials for tenant {}", securityToken.getTenant()); } if (commonNameValue != null && sslIssuerHashValue != null) { @@ -129,8 +129,8 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont String foundHash; while ((foundHash = securityToken.getHeader(String.format(sslIssuerHashBasicHeader, iHeader))) != null) { if (knownHashes.contains(foundHash.toLowerCase())) { - if (LOGGER.isTraceEnabled()) { - LOGGER.trace("Found matching ssl issuer hash at position {}", iHeader); + if (log.isTraceEnabled()) { + log.trace("Found matching ssl issuer hash at position {}", iHeader); } return foundHash.toLowerCase(); } diff --git a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/PreAuthTokenSourceTrustAuthenticationProvider.java b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/PreAuthTokenSourceTrustAuthenticationProvider.java index 80fa1bd4c..f66e8ed8f 100644 
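Review bot: In the `@@ -83,11 +83,11 @@` hunk the common-name value is written to the log verbatim even though the message itself says it is used as credentials, while the issuer hash two lines below is deliberately masked as `****`. The value appears to come from a request header, so besides exposing the credential it can carry CR/LF into the log unless the appender encodes them. Consider logging only the header name, `log.trace("Found commonNameHeader {}, using as credentials", caCommonNameHeader);`. The `log.isTraceEnabled()` guards are also redundant with parameterized messages whose arguments are already computed. The enclosing method starts and ends outside the hunk.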
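Review bot: `foundHash.toLowerCase()` in the `@@ -129,8 +129,8 @@` hunk is evaluated twice and uses the JVM default locale, so the normalisation of a request-supplied header depends on how the server happens to be configured. Computing it once with a fixed locale keeps the comparison and the returned value identical everywhere: `final String normalizedHash = foundHash.toLowerCase(Locale.ROOT);`, then `knownHashes.contains(normalizedHash)` and `return normalizedHash;` (this needs `import java.util.Locale;`). For pure hex input the result is the same today, so this is a robustness point rather than a known mismatch. The loop's increment and the construction of `knownHashes` are outside the hunk.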
--- a/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/PreAuthTokenSourceTrustAuthenticationProvider.java +++ b/hawkbit-security-integration/src/main/java/org/eclipse/hawkbit/security/PreAuthTokenSourceTrustAuthenticationProvider.java @@ -13,8 +13,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import lombok.extern.slf4j.Slf4j; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.InsufficientAuthenticationException; @@ -36,13 +35,10 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedA * from e.g. a certificate provided by an reverse proxy. Due this request is * only allowed from a specific source address this authentication manager can * also check the remote IP address of the request. - * - * - * */ -public class PreAuthTokenSourceTrustAuthenticationProvider implements AuthenticationProvider { - - private static final Logger LOGGER = LoggerFactory.getLogger(PreAuthenticatedAuthenticationToken.class); +@Slf4j +public class PreAuthTokenSourceTrustAuthenticationProvider implements AuthenticationProvider + private final List authorizedSourceIps; /** @@ -154,7 +150,7 @@ public class PreAuthTokenSourceTrustAuthenticationProvider implements Authentica if (!(tokenDetails instanceof TenantAwareWebAuthenticationDetails)) { // is not of type WebAuthenticationDetails, then we cannot // determine the remote address! - LOGGER.error( + log.error( "Cannot determine the controller remote-ip-address based on the given authentication token - {} , token details are not TenantAwareWebAuthenticationDetails! ", tokenDetails); success = false;
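Review bot: Replacing the hand-written logger with `@Slf4j` in the `@@ -36,13 +35,10 @@` hunk silently changes the logger category, because the removed field was created with `LoggerFactory.getLogger(PreAuthenticatedAuthenticationToken.class)` whereas Lombok names the logger after the annotated class. That is probably the intended correction, but the `log.error` about an undeterminable remote address in the `@@ -154,7 +150,7 @@` hunk will now be emitted under a different name, so any log-level configuration or alert rule keyed on the old category stops matching. It deserves a line in the commit message or release notes. As rendered here the added class declaration also lacks its opening `{`, which should be checked against the real file.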